SEC Increases Focus on Cyber Incident Response

In the past few years, we have seen an uptick in agencies beginning to focus on the cybersecurity readiness and response of organizations subject to their jurisdiction.

The U.S. Securities and Exchange Commission (SEC), for example, has identified cybersecurity as a top priority for many years. This past June, the SEC named Stephanie Avakian and Steven Peikin as the new co-directors of the enforcement division. Peikin noted that “[t]he greatest threat to our markets right now is the cyber threat.” What has generally been a focus on urging companies to bolster their cybersecurity prevention efforts may be making a shift toward an expectation that companies respond efficiently and effectively in the wake of a data breach. Such a shift is not surprising, given that many experts believe that security breaches are increasingly inevitable.

Given the growing recognition that, even with robust and mature information security programs, incidents will occur, the SEC and others are looking to frame appropriate regulatory responses. Recent SEC comments place an increased importance on how companies are identifying and responding to cybersecurity incidents.

By increasing regular examination of regulated entities, such as broker dealers and investment advisers, these entities will likely have more direct oversight and scrutiny of their information security programs. In addition, direct regulatory oversight of financial institutions subject to the SEC’s jurisdiction, and broader scrutiny of public companies and their security breach-related disclosures, seems probable. “In the wake of a breach, we are going to ask questions and look at disclosures before and after an incident,” said Avakian.

The SEC is cognizant of the fact that enforcement in the form of fines on public companies can lead to negative consequences to seemingly innocent parties, such as shareholders. However, the SEC has brought several enforcement actions against registered firms, including a $1 million fine related to allegations of a failure to meet the “safeguards” rule under the Gramm-Leach-Bliley Act. As the SEC’s focus shifts more resources to cybersecurity enforcement, it would not be surprising to see the agency examine disclosures relating to data breaches, or the timing of disclosure of such incidents, more closely. Now more than ever, companies may be held accountable if they fail to invest in data security, or prepare and respond to cyber-attacks adequately. While the companies may view themselves as victims, the market, and those tasked with protecting investors and the market, seemingly do not.